forked from lix-project/lix
Add some tests for drop-supplementary-groups
This commit is contained in:
parent
746c6aae3f
commit
d8ef0c9495
5 changed files with 92 additions and 2 deletions
|
@ -4,7 +4,7 @@ if [[ -z "${COMMON_SH_SOURCED-}" ]]; then
|
|||
|
||||
COMMON_SH_SOURCED=1
|
||||
|
||||
source "$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")/common/vars-and-functions.sh"
|
||||
source "$(readlink -f "$(dirname "${BASH_SOURCE[0]-$0}")")/common/vars-and-functions.sh"
|
||||
if [[ -n "${NIX_DAEMON_PACKAGE:-}" ]]; then
|
||||
startDaemon
|
||||
fi
|
||||
|
|
|
@ -4,7 +4,7 @@ if [[ -z "${COMMON_VARS_AND_FUNCTIONS_SH_SOURCED-}" ]]; then
|
|||
|
||||
COMMON_VARS_AND_FUNCTIONS_SH_SOURCED=1
|
||||
|
||||
export PS4='+(${BASH_SOURCE[0]}:$LINENO) '
|
||||
export PS4='+(${BASH_SOURCE[0]-$0}:$LINENO) '
|
||||
|
||||
export TEST_ROOT=$(realpath ${TMPDIR:-/tmp}/nix-test)/${TEST_NAME:-default}
|
||||
export NIX_STORE_DIR
|
||||
|
|
56
tests/hermetic.nix
Normal file
56
tests/hermetic.nix
Normal file
|
@ -0,0 +1,56 @@
|
|||
{ busybox, seed }:
|
||||
|
||||
with import ./config.nix;
|
||||
|
||||
let
|
||||
contentAddressedByDefault = builtins.getEnv "NIX_TESTS_CA_BY_DEFAULT" == "1";
|
||||
caArgs = if contentAddressedByDefault then {
|
||||
__contentAddressed = true;
|
||||
outputHashMode = "recursive";
|
||||
outputHashAlgo = "sha256";
|
||||
} else {};
|
||||
|
||||
mkDerivation = args:
|
||||
derivation ({
|
||||
inherit system;
|
||||
builder = busybox;
|
||||
args = ["sh" "-e" args.builder or (builtins.toFile "builder-${args.name}.sh" "if [ -e .attrs.sh ]; then source .attrs.sh; fi; eval \"$buildCommand\"")];
|
||||
} // removeAttrs args ["builder" "meta" "passthru"]
|
||||
// caArgs)
|
||||
// { meta = args.meta or {}; passthru = args.passthru or {}; };
|
||||
|
||||
input1 = mkDerivation {
|
||||
shell = busybox;
|
||||
name = "hermetic-input-1";
|
||||
buildCommand = "echo hi-input1 seed=${toString seed}; echo FOO > $out";
|
||||
};
|
||||
|
||||
input2 = mkDerivation {
|
||||
shell = busybox;
|
||||
name = "hermetic-input-2";
|
||||
buildCommand = "echo hi; echo BAR > $out";
|
||||
};
|
||||
|
||||
input3 = mkDerivation {
|
||||
shell = busybox;
|
||||
name = "hermetic-input-3";
|
||||
buildCommand = ''
|
||||
echo hi-input3
|
||||
read x < ${input2}
|
||||
echo $x BAZ > $out
|
||||
'';
|
||||
};
|
||||
|
||||
in
|
||||
|
||||
mkDerivation {
|
||||
shell = busybox;
|
||||
name = "hermetic";
|
||||
passthru = { inherit input1 input2 input3; };
|
||||
buildCommand =
|
||||
''
|
||||
read x < ${input1}
|
||||
read y < ${input3}
|
||||
echo "$x $y" > $out
|
||||
'';
|
||||
}
|
|
@ -93,6 +93,7 @@ nix_tests = \
|
|||
misc.sh \
|
||||
dump-db.sh \
|
||||
linux-sandbox.sh \
|
||||
supplementary-groups.sh \
|
||||
build-dry.sh \
|
||||
structured-attrs.sh \
|
||||
shell.sh \
|
||||
|
|
33
tests/supplementary-groups.sh
Normal file
33
tests/supplementary-groups.sh
Normal file
|
@ -0,0 +1,33 @@
|
|||
source common.sh
|
||||
|
||||
requireSandboxSupport
|
||||
[[ $busybox =~ busybox ]] || skipTest "no busybox"
|
||||
if ! command -p -v unshare; then skipTest "Need unshare"; fi
|
||||
needLocalStore "The test uses --store always so we would just be bypassing the daemon"
|
||||
|
||||
unshare --mount --map-root-user bash <<EOF
|
||||
source common.sh
|
||||
|
||||
setLocalStore () {
|
||||
export NIX_REMOTE=\$TEST_ROOT/\$1
|
||||
mkdir -p \$NIX_REMOTE
|
||||
}
|
||||
|
||||
cmd=(nix-build ./hermetic.nix --arg busybox "$busybox" --arg seed 1)
|
||||
|
||||
# Fails with default setting
|
||||
# TODO better error
|
||||
setLocalStore store1
|
||||
expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
|
||||
|
||||
# Fails with `drop-supplementary-groups`
|
||||
# TODO better error
|
||||
setLocalStore store2
|
||||
NIX_CONFIG='drop-supplementary-groups = true' \
|
||||
expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
|
||||
|
||||
# Works without `drop-supplementary-groups`
|
||||
setLocalStore store3
|
||||
NIX_CONFIG='drop-supplementary-groups = false' \
|
||||
"\${cmd[@]}"
|
||||
EOF
|
Loading…
Reference in a new issue